Forum Discussion
Chris Snell
Mar 02, 2026 | Copper Contributor
Block Local Logon to enrolling user of an Intune Managed Device
Has anyone successfully managed to deploy a security baseline template or Configuration profile or proactive remediation script that can successfully block any AAD user from being able to logon to an...
Bogdan_Guinea
Mar 04, 2026 | Steel Contributor
Hi,
What about creating a local group (e.g., AllowedLogonUsers), then adding the specific AAD user(s), including the shared enrollment account, via a PowerShell script?
Then you create a CSP via Settings Catalog to reference the newly created local group.
Check these references:
Good luck!
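
The group-creation step suggested in the reply above could look like the following script. It is an added example, not part of the original post; the group name comes from the reply, while the UPNs are constructed placeholders and the script assumes it runs elevated (for example as SYSTEM when deployed as a device script).

```powershell
# Added example: create the local allow-list group and add Entra ID (AAD) accounts to it.
# Assumptions: runs elevated on an Entra-joined device; the UPNs are placeholders.

$GroupName   = 'AllowedLogonUsers'          # name suggested in the reply
$AllowedUpns = @(
    'shared.enroll@contoso.example',        # placeholder: shared enrollment account
    'frontdesk.user@contoso.example'        # placeholder: a user who may log on locally
)

$failed = 0

# Create the group only if it is missing, so the script can be re-run safely.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName `
        -Description 'Accounts permitted to log on locally' `
        -ErrorAction Stop | Out-Null
    Write-Output "Created local group '$GroupName'."
}

foreach ($upn in $AllowedUpns) {
    # Cloud accounts are addressed as AzureAD\<UPN> on joined devices.
    $member = "AzureAD\$upn"
    try {
        Add-LocalGroupMember -Group $GroupName -Member $member -ErrorAction Stop
        Write-Output "Added $member."
    }
    catch {
        if ($_.Exception.GetType().Name -eq 'MemberExistsException') {
            # A repeat run is not an error.
            Write-Output "$member is already a member."
        }
        else {
            Write-Warning "Could not add ${member}: $($_.Exception.Message)"
            $failed++
        }
    }
}

# A non-zero exit code lets the deployment tool report the device as failed.
if ($failed -gt 0) { exit 1 }
exit 0
```

Group membership alone restricts nothing until the Settings Catalog policy from the reply references the group. Keep an administrative group in that policy as well, otherwise the device can be left with no account that is able to log on locally.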